1. Field of the Invention
The present invention relates to data communications and E-commerce, and more particularly, to a method and apparatus for detecting and reducing fraudulent use of Business-to-Consumer (B2C), Business-to-Business (B2B) and other transaction services using Personal Digital Identification (PDI) techniques.
2. Description of the Related Art
With the growing use of the Internet and the concurrent increase of E-commerce and other Business-to-Consumer (B2C) transactions, purchases of goods and services that are conducted without an individual present to show identification will also increase. Access to on-line accounts is also granted without the presence of an individual to confirm or authenticate the accessing user.
One B2C transaction problem of concern is credit card fraud. Hackers, scam artists, and criminals can always find a weak link in conventional authentication methods. This is because, although many measures have been developed to protect the card-issuing banks and consumers against fraud, they provide only illusory protection—what is authenticated is information that is known or possessed, not the individual. Accordingly, after the industry stops one leak, another leak is discovered and exploited.
Another B2C problem of growing concern is employee abuse of company resources, as access by employees to the Internet using company equipment is readily possible in most companies. Although not all employees abuse Internet service, the cumulative use of all employees can result in much time and resources being taken away from an employer.
Relatedly, supervision of a child's on-line activities is a concern for parents. Although there are many “parental control” software products available on the market, most reside directly on the end-user's PC and can be turned off at any time by either the minor or the parent and in some cases be circumvented by other software applications.
Another growing concern is subscription/account fraud. The sharing of account information among individuals is decreasing the revenues received by Internet Service Providers (ISPs). In addition to the revenue lost on subscriptions that are not paid for, ISPs must provision additional capacity to support both authorized and unauthorized users accessing their services.
In addition to lost revenue from unauthorized “subscribers,” ISPs have other concerns. Many ISPs host web pages. One potential problem is that if an intruder gains access to the host, the intruder may be able to change information on the host's web page, possibly subjecting the ISP to further liability. Moreover, an intruder could use a public web site as an entry point into a company's internal files and gain access to confidential information, such as competitively sensitive business information or information about the company's clients and/or employees that may be protected by privacy laws. This could be particularly serious for an ISP that is also a cable company, which maintains extensive customer data. A related problem, referred to as a “Trojan Horse,” occurs when an intruder enters an ISP web site with the intention of gaining unauthorized access to other computer systems, concealing his or her true identity by use of the web site. Once again, potential ISP liability arises if the intruder launches his or her attack from the ISP's web site. Counteractive efforts that an ISP can undertake range from common-sense precautions to reporting suspicious activity to the FBI. Some of the more conventional methods include: posting a log-in banner that warns unauthorized users that they may be subject to monitoring; using audit trails within the computer network; keystroke-level monitoring; caller identification; establishing internal passwords and changing them frequently; installing anti-virus software on every PC; installing “firewall” software to limit access; making back-ups of any damaged or altered files; maintaining old back-ups to demonstrate the status of the original; designating one person to secure potential evidence of fraudulent activity; and establishing procedures to secure tape back-ups and print-outs.
In addition to B2C transactions, Business-to-Business (B2B) transactions encounter many of the same difficulties in authenticating the validity of activities committed by an individual. Although corporate and individual Digital Certificates and passwords/Personal Identification Numbers (PINs) are currently deployed, they can be shared and exploited if in the wrong hands.
All the conventional methods for reducing fraud have drawbacks and limitations. Primarily, firewalls, logins and passwords do not protect against unauthorized access where the thief already knows the account information or passwords, or possesses the digital credentials. Similarly, post-hoc fraud detection procedures can only be effective if the unauthorized user can be found and prosecuted.
Accordingly, there remains a need for a method and apparatus for proactively reducing transaction-based fraud where the requesting individual is not known, or physically present, to provide identification.